Questions About OFSAAI Security Guide (for OFSAAI 184.108.40.206.0)
(Doc ID 1680802.1)
Last updated on OCTOBER 31, 2019
Applies to: Oracle Financial Services Analytical Applications Infrastructure - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
Below are the queries raised by the client regarding the OFSAAI 18.104.22.168.0 Security Guide.
Question 1: Section 1.2.3 of the OFSAAI security guide states:
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other numbers in the group.
For example, if you want to exclude the evaluation of JS keyword “return”, which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other numbers in the group.
How do you add custom keywords that are to be blocked?
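The numbering rule quoted from the guide (the new numeral must be higher than every other numeral in the group) is easy to get wrong once the group has gaps. The script below is an added example, not part of the Oracle document or product: it computes the renumbered PARAMNAME as max(existing numeral) + 1 and checks the rule on constructed sample rows; the configuration table name is a placeholder because the page does not give it.

```python
import re

# Constructed sample rows in the shape the guide excerpt describes
# (PARAMNAME / PARAMVALUE); keywords other than "return" are illustrative.
SAMPLE_ROWS = [
    {"PARAMNAME": f"XSS_JS_KEYWORDS{i}", "PARAMVALUE": kw}
    for i, kw in enumerate(
        ["return", "eval", "alert", "prompt", "confirm", "document",
         "window", "location", "cookie", "onload", "onerror"], start=1)
]

# A PARAMNAME is a letters/underscore group name followed by its numeral.
_NAME_RE = re.compile(r"^(?P<group>[A-Z_]+?)(?P<num>\d+)$")

def split_paramname(paramname):
    """Split 'XSS_JS_KEYWORDS12' into ('XSS_JS_KEYWORDS', 12)."""
    m = _NAME_RE.match(paramname)
    if not m:
        raise ValueError(f"unexpected PARAMNAME format: {paramname!r}")
    return m.group("group"), int(m.group("num"))

def group_numerals(rows, group):
    """All numerals currently used in the given group (other rows are skipped)."""
    nums = []
    for row in rows:
        m = _NAME_RE.match(row["PARAMNAME"])
        if m and m.group("group") == group:
            nums.append(int(m.group("num")))
    return nums

def is_valid_new_numeral(rows, group, numeral):
    """The guide's rule: the new numeral must exceed every existing one in the group."""
    return all(numeral > n for n in group_numerals(rows, group))

def renumbered_paramname(rows, paramname):
    """New PARAMNAME for the keyword being excluded: max(existing) + 1, which stays
    correct when the numbering has gaps (e.g. an earlier exclusion already used 15)."""
    group, _ = split_paramname(paramname)
    new_name = f"{group}{max(group_numerals(rows, group)) + 1}"
    assert is_valid_new_numeral(rows, group, split_paramname(new_name)[1])
    return new_name

def update_sql(old_paramname, new_paramname, table="CONFIG_TABLE_PLACEHOLDER"):
    """UPDATE statement for the rename. Table name is a placeholder (not given on
    the page); in a real run use bind variables rather than string formatting."""
    return (f"UPDATE {table} SET PARAMNAME = '{new_paramname}' "
            f"WHERE PARAMNAME = '{old_paramname}'")

if __name__ == "__main__":
    new = renumbered_paramname(SAMPLE_ROWS, "XSS_JS_KEYWORDS1")
    print(new, "->", update_sql("XSS_JS_KEYWORDS1", new))
```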
Question 2: Section 2.2.1 of the OFSAAI security guide has configuration steps for restricting cookies to HTTP sessions. Is this configuration a best practice or a Mandatory step?
Question 3: Section 2.2.2 of the OFSAAI security guide has configuration steps for adding the JSESSIONID in the web container. Is this configuration a best practice or a Mandatory step?
Question 4: Are all the URLs listed in the $FIC_WEB_HOME/webroot/conf/excludeURLList.cfg file excluded from the XSS/SQL/JS keyword checks? If so, why are the checks skipped for so many URLs? Are these considered harmless URLs?